We use this tool as well.  Works great.  Helps us identify why accounts are 
locked or users can't log in.

We use both LDAP & AD for authentication, depending on the service.

We added a note so that when users click the change password link, it pops up 
to tell them to ensure that they have closed all their email programs.  Those 
with mapped network drives that are not on the domain are told that they'll 
need to unmap and remap.  They are also told that they'll need to update the 
new password on all devices one at a time, including wireless.  This has helped 
decrease the number of calls to the help desk.

-jack

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John McMillan
Sent: Monday, April 14, 2014 5:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: account lockouts when changing passwords

We use ManageEngine ADAudit for this. It's reasonably priced and a lot easier 
than searching event IDs in the AD logs.

On Mon, Apr 14, 2014 at 4:03 PM, Danny Eaton <dannyea...@rice.edu> wrote:
I had this problem due to a VM trying to connect to a shared network drive using 
cached credentials and locking out the account.  I'll pass this info on to my 
AD folks - thanks!

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey Sessler
Sent: Monday, April 14, 2014 4:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] account lockouts when changing passwords

If you're using AD as your authentication source, look at implementing 
"Password history check (N-2)".

With Password history check (N-2), as long as the password being used is one of 
the last two in the history file, the bad password count is not incremented... 
thus, no account lockout when using an old, but valid password. That is, while 
the user can't authenticate using the old password (it still fails as an 
incorrect password), account lockout doesn't occur. It works around the problem 
where a user changes their password on, say, their desktop, and then their mobile 
device instantly locks their account as it attempts to auth on WPA.
Jeff
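
The behaviour described in the message above, as an added example that is not part of the original thread: a simplified Python model of a bad-password counter with and without the N-2 history check. It is not AD's implementation; the threshold of 5, the SHA-256 stand-in hash, the retry count and the sample passwords are assumptions constructed for the illustration.

```python
import hashlib

LOCKOUT_THRESHOLD = 5  # assumed lockout policy value for this model

def pw_hash(pw):
    # Stand-in hash for the model only; not how AD stores passwords
    return hashlib.sha256(pw.encode()).hexdigest()

class Account:
    def __init__(self, password, history_check=True):
        self.current = pw_hash(password)
        self.history = []              # previous password hashes, newest first
        self.history_check = history_check
        self.bad_count = 0
        self.locked = False

    def change_password(self, new):
        self.history.insert(0, self.current)
        self.current = pw_hash(new)

    def authenticate(self, attempt):
        if self.locked:
            return False
        h = pw_hash(attempt)
        if h == self.current:
            self.bad_count = 0
            return True
        # N-2 check: a match on one of the last two old passwords still fails,
        # but the bad password count is left alone
        if self.history_check and h in self.history[:2]:
            return False
        self.bad_count += 1
        self.locked = self.bad_count >= LOCKOUT_THRESHOLD
        return False

def simulate(history_check, stale_password_retries=10):
    # Constructed scenario: password changed on the desktop while a mobile
    # device keeps retrying the old one against wireless authentication
    acct = Account("Spring2014!", history_check)
    acct.change_password("Summer2014!")
    results = [acct.authenticate("Spring2014!") for _ in range(stale_password_retries)]
    desktop_ok = acct.authenticate("Summer2014!")
    return any(results), acct.bad_count, acct.locked, desktop_ok
```

`simulate(False)` ends with the account locked and the desktop login refused, while `simulate(True)` leaves the counter at zero even though every stale attempt still fails. A password that is not in the last two history entries increments the counter in both modes.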

********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.
